Who is hacking me? ~A Glance into The Log~
Nepenthes has been collecting data for the past few days, and I’d like to share some of the rough data now. Since it is just a single server, do not generalize this to the situation of banks, corporations, or other high-value servers, but this is what YOUR computer can see. Remember, I never exposed the honeypot, so ALL connections are malicious.
** Most Attacks Region **
[ Russian Federation] has 57 attacks on you.
[ Taiwan] has 36 attacks on you.
[ Brazil] has 32 attacks on you.
[ Germany] has 21 attacks on you.
[ United States] has 20 attacks on you.
[ Italy] has 16 attacks on you.
[ Romania] has 15 attacks on you.
[ United Kingdom] has 14 attacks on you.
[ Korea, Republic of] has 13 attacks on you.
[ India] has 11 attacks on you.
[ Poland] has 10 attacks on you.
[ Philippines] has 10 attacks on you.
[ Japan] has 10 attacks on you.
[ Canada] has 9 attacks on you.
[ Bulgaria] has 9 attacks on you.
[ Hungary] has 8 attacks on you.
[ Malaysia] has 8 attacks on you.
[ France] has 6 attacks on you.
[ Argentina] has 6 attacks on you.
[ China] has 6 attacks on you.
This is 12 July 2009.
Apparently, Russia seems to be the largest supplier of zombies (much like Resident Evil!), steadily ranking first (I have a week of data). Next, surprisingly (to me), comes Taiwan. The next one is easy: Brazil, as the geolocation section of the Microsoft SIR volume 5 report suggested. The next one is Germany, which is not what I saw in Microsoft SIR volume 5. After all, this data is too weak to generalize from, but you can check it out.
Remember, IP addresses have no national boundaries.
** Most Visited Ports **
[ 445] : 385
[ 135] : 39
[ 139] : 7
[ 25] : 1
Port 445 and Port 135 score highest. Very likely to be:
Port 445 – MS04-011 at http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Port 135 – MS03-026, a.k.a. W32 Blaster at http://www.microsoft.com/technet/security/bulletin/MS03-026.mspx
I am still in the middle of making sense of all the data, but the above is something you may glimpse from the mess.
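An added example, not part of the original post and not Nepenthes code: one way to build a “Most Visited Ports” tally like the one above while also counting distinct source IPs per port, which shows whether a large count comes from many hosts or a few noisy ones. The record layout (timestamp, source IP, destination port) and the sample lines are constructed for illustration; the port labels are the bulletins guessed in this post.

```python
import ipaddress
from collections import Counter, defaultdict

# Port -> bulletin guesses taken from the post; other ports stay unlabelled.
LIKELY_BULLETIN = {445: "MS04-011", 135: "MS03-026"}

# Constructed sample records (an assumed layout, NOT Nepenthes' native log format):
# "<timestamp> <source IP> <destination port>"
SAMPLE_LOG = """\
2009-07-12T00:01:10 192.0.2.10 445
2009-07-12T00:01:12 192.0.2.10 445
2009-07-12T00:03:40 198.51.100.7 135
2009-07-12T00:05:02 203.0.113.99 445
2009-07-12T00:05:03 192.0.2.10 445
2009-07-12T00:09:30 198.51.100.7 139
this line is truncated garbage
2009-07-12T00:11:00 203.0.113.5 99999
"""

def parse(line):
    """Return (source_ip, port), or None for a malformed record."""
    parts = line.split()
    if len(parts) != 3:
        return None
    try:
        src = str(ipaddress.ip_address(parts[1]))
        port = int(parts[2])
    except ValueError:
        return None
    return (src, port) if 0 < port < 65536 else None

def port_report(text):
    """Return ([(port, connections, distinct_sources, label)], skipped_lines)."""
    hits, sources, skipped = Counter(), defaultdict(set), 0
    for line in text.splitlines():
        rec = parse(line)
        if rec is None:
            skipped += 1  # count bad lines instead of silently dropping them
            continue
        src, port = rec
        hits[port] += 1
        sources[port].add(src)
    ordered = sorted(hits, key=lambda p: (-hits[p], p))  # busiest port first
    rows = [(p, hits[p], len(sources[p]), LIKELY_BULLETIN.get(p, "unlabelled"))
            for p in ordered]
    return rows, skipped

if __name__ == "__main__":
    rows, skipped = port_report(SAMPLE_LOG)
    for port, conns, srcs, label in rows:
        print(f"[ {port}] : {conns} connections from {srcs} sources ({label})")
    print(f"skipped {skipped} malformed lines")
```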
(Yes, I think I should write an English version for the previous “Who is hacking me?” post.)
(7/16/2009 Updated title, and read here for the first story.)
===
References:
Microsoft Security Intelligence Report volume 5
Zombie Computer – Wikipedia
殭屍電腦 (Zombie Computer) – Chinese Wikipedia